Anti-Phishing Training for Small Businesses
Information Security Basics
When considering the basics of information and cyber security, it’s sometimes tempting to think that we are in the group that is ‘too smart’ to be fooled by anything as simple as a phishing email. Perhaps this failure of imagination is in part because of the stereotypical ‘scammer’ emails from the early days of the internet that we tend to remember and joke about.
The reality is that phishing emails are still an enormous problem, not only for individuals but organisations too, with around 32% of all breaches still involving phishing, and user negligence playing a significant role in these incidents.
With 60% of small businesses closing their doors within six months of an attack and the average cost soaring to over £4,000, we’ve put together this anti-phishing training guide to get you started in identifying risks and raising awareness about the persistent threat that phishing attacks pose to SMEs like yours.
43% of breaches involved small business victims
We may think of large organisations as being more lucrative targets for hackers and attackers, and although breaches can cost large businesses far more on average, SMEs represent a significant proportion of victims.
Only 32% of small businesses have cyber security policies
Despite the huge number of high-profile hacks and breaches of the last several years, most small businesses lack a set of defined cyber security policies. Without these basic measures, an organisation opens itself up to all kinds of problems, including compliance issues, fines, breaches and more.
77% of all UK workers have never received any form of information security training from their employer
One of the major indications that industry still has a long way to go in terms of effective information security is the fact that only 33% of UK workers have received any employer training in this area. Considering how routinely employees handle sensitive and personal information, it is surprising that businesses are so reluctant to invest in critical training.
Defending Against Phishing Attacks
There’s no denying that systems, spam filters and firewalls all play an important role in protecting an organisation from phishing threats. Necessary as they are, without informed and vigilant users these protections will never be a complete solution to information security attacks.
Part of any effective information security training program is giving users the understanding and tools to defend themselves. Here are some of the key elements users need to be aware of to detect phishing attacks:
It may seem obvious, but taking a moment to check and double-check the address from which an email is coming can be extremely effective in detecting phishing emails. The most blatant phishing emails may use nonsensical or gibberish addresses; however, more sophisticated phishers can employ subtle tricks to obfuscate an email's nefarious purpose.
This may involve substituting a capital ‘I’ for a lowercase ‘l’, or including an expected domain elsewhere in the address (email@example.com instead of firstname.lastname@example.org). At a glance, these addresses can appear legitimate, but if an email is requesting that you take any action, such as logging in, making a transfer or giving up sensitive information, the address should be given extra attention and confirmation.
Many phishing attacks attempt to instil a sense of urgency in the user. Terms such as ‘ASAP’ or ‘URGENT’ in the subject line or in the body of the text can seem relatively innocuous to some, but phishers use these tactics to push users into making poorly considered ‘snap’ decisions.
Undoubtedly, you will occasionally receive legitimately urgent correspondence, and we certainly don’t recommend that it be ignored; only that when urgency is conveyed, users take the time to confirm the request is legitimate. This is particularly true of monetary transfers, which should ideally be confirmed with the requesting party via a separate channel (e.g. over the phone).
Many of us hold positions that require us to regularly send and receive information, much of which likely comes in the form of email attachments. Although there is nothing inherently wrong with this, attachments pose a significant information security risk when users are not certain about what they’re opening.
As with addresses, users should be particularly wary of strange or nonsensical file names, but the most important thing to consider when examining an attachment is the file type. Different file types pose different risks, so you should be especially wary of files ending in .exe or any file type you don’t recognise. An attacker may try to disguise this by placing a widely used file ‘type’ just before the real extension; for instance “.pdf.exe”, which is an executable, not a PDF.
As with all these anti-phishing training techniques, taking that extra moment to check and verify the legitimacy of communications can avert serious information security incidents.
One of the most common techniques phishers use to extract sensitive information is directing users to inauthentic pages designed to mimic legitimate and recognisable companies. These addresses are often obfuscated within emails, so before following a link, users should first inspect the actual URL or find an alternative route to the page, such as typing the known address directly.
Phishers and scammers can go to great lengths to build extremely convincing phishing pages designed to capture account login information, so just because a site looks correct, doesn’t necessarily mean it is legitimate.
*Note that on mobile browsers URLs are typically truncated because of the smaller screen, so an inauthentic URL may be less obvious and users should be especially wary.
Simulated Phishing Training
Only seven years ago, the user click rate for phishing emails was a whopping 25%, a figure which has since fallen dramatically to around 3%. Although this is an obvious step in the right direction, given the risk that phishing poses to SMEs and the frequency with which phishing attacks are sent, empowering employees to identify attacks is paramount.
Phishing simulations are a method by which an organisation sends its own employees suspicious emails, both to measure how users interact with them and to educate staff about the risks of accidentally clicking on dangerous emails, links and attachments.
Rather than being used as a metric by which to punish employees, access to quantifiable information about potential vulnerabilities allows an organisation to begin the process of improving behaviour and creating an effective security culture.
Interactive and Engaging Information Security Training
By educating your staff regularly with interactive tutorials that require them to demonstrate what they have learned, you don’t just help to improve compliance, but also reliably reduce the risk of human error and raise the standard of awareness.
As well as enabling employers to launch simulated phishing campaigns, Hut Six training features twenty-six comprehensive tutorials covering all aspects of information and cyber security.
Focused on demonstrating learning outcomes, with Hut Six’s learning management system (LMS), employers can assess and track the achievements of staff and better understand areas for improvement. Hut Six’s comprehensive solution builds a security aware culture by focusing on achieving meaningful behavioural change.
If you have found this Anti-Phishing Training Guide useful and you'd like to learn more about how you can protect and strengthen your business with unique and engaging information security awareness training, get in touch below.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.